The breach happened at one of the agency’s subcontractors and didn’t involve any data collected under its facial recognition program, officials said.

Customs and Border Protection officials on Monday said personal information the agency collected on travelers entering and exiting the U.S. was exposed in “a malicious cyber-attack.”

The breach occurred after one of CBP’s subcontractors illegally transferred images of travelers and license plate photos collected by the agency to its internal networks, which were then compromised by the attack, according to a CBP spokesperson. The agency declined to name the subcontractor that was compromised.

The breach exposed photos of fewer than 100,000 people traveling in their vehicles “through a few specific lanes at a single land border port of entry,” a CBP official said in an update Monday night. The images were taken over a period of roughly one and a half months, the official said, and no other identifying information was included with the images.

No photos from passports or other government travel documents were stolen in the breach, nor were any of the images collected through CBP’s biometric entry and exit program, according to the official.

Subscribe

Receive daily email updates:

Subscribe to the Defense One daily.

Be the first to receive updates.

As of June 10, the agency said none of the images had been identified “on the Dark Web or internet,” and they will continue to monitor for any “unauthorized disclosure.” The agency said officials were first made aware of the breach on May 31.

According to the spokesperson, early evidence indicated the subcontractor had violated the security and privacy protocols outlined in the agreement. None of the agency’s internal networks or databases were infiltrated during the breach, they said.

“CBP has removed from service all equipment related to the breach and is closely monitoring all CBP work by the subcontractor,” the spokesperson said in a statement. The agency has already alerted Congress, other law enforcement agencies and cybersecurity organizations about the breach, and they are investigating the incident, according to the spokesperson.

Though the agency wouldn’t name the breached contractor, the Washington Post reported an early copy of CBP’s public statement included the name “Perceptics” in the title. Perceptics, a Tennessee-based company that’s worked with CBP since 1982, had been hacked last month, according to Motherboard. The company’s license plate readers are reportedly deployed at dozens of checkpoints along the U.S.-Mexico border.

In recent years, CBP has expanded its use of biometric technology to keep tabs on the people entering and exiting the country. The agency currently has facial recognition systems deployed in some capacity at 16 airports and three border checkpoints around the country, and it plans to ramp up those efforts significantly in the years ahead.

Though officials said no biometric information was exposed in the breach, critics of the technology used the incident to highlight the potential risks of the government collecting such sensitive personal information.

“Government use of biometric and personal identifiable information can be valuable tools only if utilized properly,” House Homeland Security Committee Chairman Bennie Thompson said in a statement on the recent data breach. “Unfortunately, this is the second major privacy breach at DHS this year,” he said, referring to a leak that exposed information on 2.3 million disaster survivors collected by the Federal Emergency Management Agency.

Thompson said he plans to hold a hearing on the Homeland Security Department’s use of biometric information in July.

Editor’s Note: This article was updated with additional statements from Customs and Border Protection.

Jack Corrigan reports on cyber and national security issues. Before joining Nextgov in 2017, he wrote for multiple publications around his hometown of Chicago. Jack graduated from Northwestern University with degrees in journalism and economics.
Full bio

By using this service you agree not to post material that is obscene, harassing, defamatory, or
otherwise objectionable. Although Defenseone.com does not monitor comments posted to this site (and
has no obligation to), it reserves the right to delete, edit, or move any material that it deems
to be in violation of this rule.